January 08, 2008

Adobe and Omniture: Further details

As promised last week, a number of Adobe folks have been gathering information about Adobe desktop applications’ communications with a server named “192.168.112.2o7.net,” operated by Web analytics firm Omniture. Having already discussed what data is (and is not) being gathered and tracked, let’s talk about the history & purpose of the implementation.

The welcome screen (screenshot) that’s available in some Adobe CS3 applications (Flash, Fireworks, Dreamweaver, Illustrator, and InDesign) is designed to show fresh, relevant news and information. For that reason it loads a Flash SWF file that’s hosted on Adobe.com, just as a Web browser would do. When the SWF gets loaded, it pings the Omniture server to record the event. As noted previously, no personal information is uploaded in that exchange.

Some questions & answers:

Q.: Why does the SWF fetched into the welcome screen call the Omniture server?

A.: All of the content fetched from Adobe.com does this. Adobe, like almost all companies with a Web presence, anonymously tracks usage patterns and response-time statistics. The only way to get effective data on this is to use client-side callbacks, and Adobe works with Omniture to do this. Hence the call to the Omniture server.

Q.: Why does Adobe use a server whose name is so suspicious-looking?

A.: I’m afraid the answer is that we don’t really know. The fact is that this SWF tracking code already existed on the Macromedia side at the time the companies merged, and it was adopted without change by a number of products for CS3. The people who wrote the code originally did not document why they used that server name, and we can’t find anyone who remembers. I’m sorry we aren’t able to provide a more solid, definitive explanation.

Q.: Follow-on: Given that you can’t give a good reason why Adobe is using a server whose name is so suspicious, are you going to change the name?

A.: Absolutely. We are working with Omniture on this right now, and will make this change as soon as we can. (I don’t know how long this will take, but will post here when I do.)

Longer-term (in future releases), we’ll do a better job of explaining what the apps are doing on the network and why. I think we can enable some really amazing user experiences by bringing the desktop & online worlds closer together, and that most people will want to participate in those. The key thing is that they be given the choice, and that they be made aware of what’s going on.

Does that make sense? All in all, I’m glad that people raised the issue; that we can explain what Adobe apps are doing; and that we can bear this experience in mind as we move forward.

J.

PS–A tech note is now live on Adobe.com, detailing the way the apps interact with the 2O7.net server.

January 02, 2008

What data do Adobe apps gather & upload?

As promised, a number of folks at Adobe have been digging into questions raised about what data is being gathered by Adobe applications, what’s being uploaded & tracked, etc. It’s an ongoing investigation, but in the interest of sharing info as quickly as possible, I’d like to pass along what we’ve gathered so far.

One of the most alarming claims (made by readers posting on Slashdot and elsewhere) is that Adobe apps are surreptitiously uploading users’ serial numbers. Adobe engineer Tobias Hoellrich has spent a bunch of time analyzing the issue and has posted his findings and methodology on his blog. Short story: "Based on my analysis, I don’t see any evidence that serial-numbers are being sent to either *.adobe.com or *.2o7.net." This info matches everything else I’ve been able to learn on the subject: the welcome screen SWF is not gathering/uploading serial numbers or other personal info.

There is one instance in which Adobe applications do upload a user’s serial number: during product activation. During that process (which has been around for roughly four years), an encrypted copy of the serial number is uploaded to the activation server. Note that activation is not the same thing as registration. The registration process (during which you supply your name, contact info, etc.) is optional and is not connected to activation (which does not include that kind of personal data). Details are available in the activation FAQ. None of this is new, nor is it related to the welcome screen SWF, but it’s worth mentioning for the sake of clarity & disclosure.

Tobias’s post doesn’t discuss the controversial "2O7.net" URL being used in conjunction with the welcome screen SWF. Adobe staff are getting in touch with stats-tracking firm Omniture to get more info. As soon as I have more to share on that front, I’ll post it here.

December 28, 2007

What’s with Adobe & the shady server name?

Thanks for all the feedback on this morning’s post about Adobe, Omniture, and (non) spyware in CS3.

In truth, I think I did miss a key point: in this instance the objections seem to center not so much on whether Adobe apps are contacting a server, but rather that the server is named “192.168.112.2O7.net,” rather than something obvious and communicative like “adobestats.omniture.com.” People are rightly asking why that is, and unfortunately I don’t know the answer. I’m way out of my depth on the details of IP addresses, ports, etc., so I hesitate to comment further.

Instead I’ll work on getting some details from people with more expertise. Given where we are in the holiday period, it may take a little time. I’ll post more info as I get it. Thanks for your patience.

This is a great example of why I said that “Adobe could and should do a better job taking security concerns into account.” Even if an application’s behavior is ultimately innocuous, it’s important to be transparent and forthcoming about what’s going on. I don’t want software sneaking around behind my back any more than the next guy does, and Adobe (like all companies) needs to make sure it’s not abusing users’ trust.

[Update: I posted updates here and here. The complete set of posts is here.]

Adobe ate me baby!!

Ding ding ding! We have a winner.

Every year around this time, the online community latches onto some story (CS3 icons last year; “Microsoft to buy Macromedia” before that; etc.) and goes nuts with speculation. The speculation is all the more thrilling given that the affected companies are only lightly staffed right now, making it hard to provide a meaningful response.

This year it’s “Lies, Lies, and Adobe Spies“–a story noting that some Adobe apps contact a Web address associated with Web analytics company Omniture. The story is getting echoed & amplified on Valleywag (“You’re not the only one watching what you do in Adobe Creative Suite 3… Adobe is watching you, too”), CenterNetworks (“I am not suggesting that Adobe is doing anything wrong…” but then “Shame on Adobe, shame“), Daring Fireball (“Assuming this is true, it’s a disgrace, whatever the actual reason for the connections” [emphasis added]), and I’m sure elsewhere.

Whoa, Nellie.

As I say, now is the perfect time for people to throw around whatever wild assertions they’d like, given that so many people are out of the office and can’t respond. Even so, I’ve been able to find out a few things. According to Doug Miller from the Adobe.com team, “Omniture is Adobe’s web analytic vendor for Adobe.com. There are only 3 places we track things via Omniture anywhere in or around our products.”:

The welcome screens (these things) in some Adobe apps include a Flash SWF file that loads current news, special offers, etc. These requests hit Adobe.com servers and are logged, like regular browser-based traffic, by Omniture.

Adobe Bridge embeds both the Opera browser and the Flash Player, both of which can be used to load Adobe-hosted content. These requests are also logged.

Adobe apps can call various online resources (online help, user forums, etc.), and those requests are logged. [Update: To clarify, those contacts are made only if the user requests them–e.g. by choosing Help->Adobe Exchange.]

This, as far as I’ve been able to discover, is the extent of the nefarious “spying.” If I learn anything else when more people get back on email, I’ll update this post.

Now, let’s get down to brass tacks:

There are plenty of reasons, from phishing to Facebook to the NSA, to be concerned about & to debate security & privacy. But when people cry wolf, making no apparent effort to find out the truth (yeah, let’s assume it’s a disgrace–and please don’t ask anyone at Adobe), they actually make it harder to pay attention to the significant issues at hand.

I’m a huge advocate of improving the desktop experience through online connectivity. There are lots of details to get right here as we work to find the right balance between privacy & connectedness. Let’s absolutely have those conversations–but let’s not drown them out with a bunch of shrill, irresponsible FUD. (That would be a disgrace.)

Adobe could and should do a better job taking security concerns into account. Including Apple’s Bonjour technology in CS3 apps was meant to make it easier for users to connect to their servers, but the company’s (unintentional) lack of communication caused people to suspect the worst (over the holiday break, naturally). It’s because we know what these technologies are doing that we may not remember to see them as others might, and to explain what’s going on (and what’s not). As I say, as the line further blurs between the desktop & online experiences, Adobe & all companies will need to do a better job communicating & giving users choices.

And so, at last, I’m pleading for a little common sense, and for people to give Adobe the benefit of the doubt–or at least to check the facts before screaming “Your Privacy Is An Illusion!”

PS–Tracking user habits can be a good thing that benefits customers by helping software creators notice trends & improve their tools. When Adobe has pursued this kind of thing, it’s always been on a strictly opt-in basis.

PPS–I’m just miffed that if people are going to besmirch a whole company, they don’t also bother to extend the common courtesy of a crude Photoshop job. ;-)

January 04, 2007

CS3 doesn’t install spyware

That’s kind of a weird title, but there have been a few slightly freaked-out posts in the last couple of days suggesting that the Photoshop CS3 beta is installing spyware. The deal is that Photoshop uses Apple’s Bonjour technology to make it easy to connect to Version Cue servers. For more details, I consulted Thomas DeMeo, Director of Product Management for the team that creates Version Cue. Here’s what he had to say:

Adobe does not use spyware, period.

Since the inception of the Creative Suite (CS) family, Adobe provided a file collaboration tool with the introduction of Version Cue. Version Cue is a file management tool that is integrated in Adobe Photoshop, Adobe InDesign, Adobe Acrobat, Adobe Illustrator and other creative applications within the Creative Suite. It is client/server based. The clients are integrated into each of the applications and they all communicate with the Version Cue Server.

To make setup and configuration easier, Adobe uses Apple’s Bonjour technology to enable the connectivity to Version Cue servers on a local area network. Bonjour is widely used throughout Mac OS X and Windows in applications like iTunes and popular printers to allow users to set up a network service without any configuration.

From Photoshop or Bridge you can connect to a Version Cue server without having to type in an IP address. It does not enable Photoshop or Bridge to do file sharing, as this is done by the Version Cue Server. It does not send information over the Internet or to Adobe. When you click on the Version Cue area in the Adobe Dialog, the Bonjour daemon running on the local machine will browse for visible Version Cue servers on your subnet. You can then log in to access the file management capabilities of the Version Cue server. To request access to the Version Cue beta program, please contact Mike Wallen (mwallen at adobe dot com). For more info on Bonjour, see also this Apple developer FAQ and the entry on Wikipedia.

[Update 5/11/07: I saw the following info from Timo Naroska of the Version Cue team and thought it would be worth sharing:

Bonjour sends/receives packets to the multicast IP 244.0.0.251. Routers do not forward these packets outside the local network. Furthermore Bonjour pings the local DNS server to check whether it supports service discovery.

No critical information is ever transferred.

The user should usually allow Bonjour to connect the “internet” to seamlessly browse/connect Version Cue Servers in the local network.

If the user decides to block Bonjour internet access, automatic server discovery on the local network and the local machine are hampered. The user will have to connect servers manually by IP/DNS-name.]
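Two of the confusions in the posts above come down to reading a destination string correctly: “192.168.112.2O7.net” looks like a private IP address but is a DNS hostname registered under 2o7.net, and Bonjour’s traffic goes to a link-local multicast address (mDNS uses 224.0.0.251) that routers do not forward. The following script is an added example, not code from Adobe, Omniture or this blog; it takes a constructed, hypothetical connection log of “timestamp application destination” lines and classifies each destination so an analyst can tell an IP-lookalike hostname from a real address and a LAN-only multicast address from an Internet host.

```python
"""Classify connection destinations: IP literal vs. hostname, and for
hostnames, flag names whose leading labels mimic an IP address.

Added example, not Adobe's, Omniture's or the blog's own code. The log
format and the log lines below are constructed for illustration.
"""
import ipaddress
import re

# 224.0.0.0/24 is the IPv4 local network control block; packets to it
# (including mDNS on 224.0.0.251) are never forwarded by routers.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")

# A label made only of 1-3 decimal digits, e.g. "192" or "168".
_DECIMAL_LABEL = re.compile(r"^\d{1,3}$")

# Constructed sample log: "<timestamp> <application> <destination>".
SAMPLE_LOG = """\
2007-12-28T09:14:02 Flash.exe 192.168.112.2O7.net
2007-12-28T09:14:05 Bridge.exe 224.0.0.251
2007-12-28T09:15:10 Photoshop.exe 192.168.1.20
2007-12-28T09:16:00 Illustrator.exe adobestats.omniture.com
"""


def classify(destination: str) -> dict:
    """Describe how a destination string should be read.

    Returns {"kind": "ip", "scope": ...} for IP literals, where scope is
    one of loopback, link-local multicast, multicast, private or public,
    or {"kind": "hostname", "lookalike": bool, "domain": str} for names,
    where lookalike is True when two or more leading labels are decimal
    numbers (so the name can be mistaken for an address) and domain is
    the last two labels, i.e. where the name is actually registered.
    """
    dest = destination.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name

    if ip is not None:
        if ip.is_loopback:
            scope = "loopback"
        elif ip.version == 4 and ip in LINK_LOCAL_MCAST:
            scope = "link-local multicast"
        elif ip.is_multicast:
            scope = "multicast"
        elif ip.is_private:
            scope = "private"
        else:
            scope = "public"
        return {"input": destination, "kind": "ip", "scope": scope}

    labels = dest.split(".")
    leading_numeric = 0
    for label in labels:
        if not _DECIMAL_LABEL.match(label):
            break
        leading_numeric += 1
    lookalike = 2 <= leading_numeric < len(labels)
    domain = ".".join(labels[-2:]) if len(labels) >= 2 else dest
    return {"input": destination, "kind": "hostname",
            "lookalike": lookalike, "domain": domain}


def audit(log_text: str) -> list:
    """Return (application, destination, note) for each parseable log line."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing
        _timestamp, app, dest = parts
        info = classify(dest)
        if info["kind"] == "ip":
            note = f"IP literal, {info['scope']}"
        elif info["lookalike"]:
            note = f"hostname that mimics an IP, registered under {info['domain']}"
        else:
            note = f"hostname under {info['domain']}"
        findings.append((app, dest, note))
    return findings


if __name__ == "__main__":
    for app, dest, note in audit(SAMPLE_LOG):
        print(f"{app:16} {dest:28} {note}")
```

The hostname check lowercases the input before anything else, so “2O7” and “2o7” are handled the same way, and a name only counts as a lookalike when the numeric labels are followed by at least one non-numeric label; a bare dotted quad is parsed as an address by `ipaddress` and never reaches that branch.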